CSOonline: How Risk-Based Authentication has become an essential security tool

It used to be that adaptive authentication (also called risk-based authentication or RBA) forced a trade-off between usability and security, but that is no longer the case. A few years ago, security managers placed security above usability, forcing users to be like Chicago voters: authenticate early and often. Today’s RBA tools can improve overall customer experience and help compliance regulations as well as simplifying a patchwork of numerous legacy banking technologies.

Based on my experience with some of these products, RBA has matured and become more compelling, particularly when compared to static and more traditional multi-factor authentication (MFA) methods. RBA has also become more compelling as the typical enterprise attack surface has expanded and evolved.

In this article for CSOonline, I discuss some of these compelling reasons for RBA, some of the leading RBA vendors, and what potential buyers should consider.

Corporate blogging rules of the road (and bonus podcast)

Let’s talk about what makes for a successful corporate blog and how you can assemble one of your own. Blogs are an essential element of any corporate marketing strategy, and should be the linchpin of creating an integrated digital marketing campaign that includes email newsletters, social media posts, and other kinds of content. But if you don’t have a strong blog, you will have a difficult time executing any solid marketing campaign.

I have written about corporate blogging for more than 13 years, including this story that ran in Computerworld, and contributed to dozens of different corporate blogs (in addition to running some websites that could be considered blogs if they were created in the modern era). Jeremiah Owyang once said that you shouldn’t accept blogging advice from people that are not bloggers. Given that he has blogged for as long (if not longer) than I have, he is worth paying attention to. I am writing about this again thanks to being inspired by a recent article about Autodesk and its 200-some corporate blogs.

Autodesk is the company behind AutoCAD and some 170 other products that are based on that industry segment. When you first see how many blogs they have, you think: that can’t possibly be the right strategy for them. But the more you look into what they are doing, the more you understand that this is actually brilliant. These different blogs (some of which you can see in the screen capture here) show something more than just quantity. For example, each Autodesk product and blog has its own dedicated marketing team, so it’s up to each to decide how to structure its operation and tell it’s own story. So as you are examining what Autodesk is doing, here are a few pointers.

First is understanding the key elements in assembling your team that will staff and run a blog. It is more akin to running a publication (something that I have done numerous times over my career in both print and online), but you may not have editorial and production people in-house. That is why it could make sense to outsource part of these back or front office functions of the blog to operations such as Skyword or Contently. While you pay a premium for these services, they can deliver benefits if you don’t have the time, skills or staff to handle these functions. Another part of successful blogging is creating an editorial calendar and planning what you will cover in the next quarter (or longer if you can), posting regularly and selecting the right topics. This makes it easier to assign posts and organize your campaigns.

Next, you need to understand your audience focus and define what the overall purpose of the blog or blogs will be, as well as adjusting to the appropriate level of knowledge for a particular readership. This is something that you want to do up front, before you start creating any posts.

It is also important to take the long view about your blog or blogs; on the Internet, content is eternal and many corporate marketers often make the mistake of having a blog stand up for just a particular campaign. I often get inquiries from something that I posted ten years ago. Many of the blogs and pubs that I have written for have taken down their content. Newsflash: storage and domain services are cheap these days.

Part of any successful blog is also figuring out what your metrics for success are, and that should involve more than just counting simple page views. While we all watch that particular statistic, it doesn’t tell the entire story, such as how engaged our readers are and how many of them convert to trial product versions or refer others who become customers. Figure out how you can track these things effectively.

Finally, make sure you pay your external writers quickly and without a lot of paperwork, otherwise they will migrate elsewhere. (That is where the outsourced back office providers can help.) I know this sounds somewhat self-serving, but I have seen many fine pubs lose talented writers who get frustrated when payments stretch out for months.

If you haven’t had enough suggestions, or if you want to send these suggestions to someone who is a more auditory learner, you can listen to a 20 minute podcast that Paul Gillin and I put together for our FIR B2B episode this week here.

CSOonline: 4 open source red-team ATT&CK-based tools reviewed

In an article that I wrote last week for CSOonline, I described the use of a red team framework from Mitre called ATT&CK. in my post this week, I compare four free open source tools that leverage this framework and how they can be deployed to help expose your network vulnerabilities. The four tools are:

  • Endgame’s Red Team Automation (RTA),
  • Mitre’s own Caldera,
  • Red Canary’s Atomic Red, and
  • Uber’s Metta

Each have their good and bad points. You can read my review here.

CSOonline: What is Mitre’s ATT&CK framework and what red teams need to know

The ATT&CK framework, developed by Mitre Corp., has been around for five years and is a living, growing document of threat tactics and techniques that have been observed from millions of attacks on enterprise networks. The funky acronym stands for Adversarial Tactics, Techniques, and Common Knowledge. It began as an internal project and morphed into this behemoth of a public knowledge base. In this post for CSOonline, I discuss what ATT&CK is, how it can be used, and how some of the numerous security vendors and consultants have picked up on using it.

Security Intelligence blog: Understanding the Relationship Between AI and Cybersecurity

The first thing many of us think about when it comes to the future relationship between artificial intelligence (AI) and cybersecurity is Skynet from the “Terminator” movie franchise. But I spoke with Dudu Mimram,  the CTO at Telekom Innovation Laboratories when I was in Israel earlier this month, and he has a somewhat rosier view. He suggested that AI must be understood across a broader landscape, regarding how it will influence cybersecurity and how IT can use AI to plan for future security technology purchases.You can read my blog post in IBM’s Security Intelligence here.

StateTech: Best practices for single sign-on technologies for state IT departments

The days when users are required to remember numerous complex passwords may be coming to an end, as single sign-on (SSO) technologies are finally taking hold in state and local agencies. SSO tools provide a number of valuable security benefits. Among them are to better bridge the gap between cloud and on-premises servers, applications and services and they help agencies prevent the proliferation of bad passwords. You can read more details in this first piece for StateTech magazine.

Several factors have brought this about: better technology, a wider selection of identity management tools, lower-cost SSO alternatives and a heightened awareness of massive password breaches. State and local agencies should keep several important factors in mind as they consider SSO solutions, as I wrote about in a second article for StateTech magazine recently.

My most recent comparative review for Network World on SSO tools was done in 2015 and gave Centrify (shown here) and Okta the highest marks.

CSO Online: Inside RSA’s state-of-the-art fraud intelligence command center

As cybercriminals get better at compromising financial accounts and stealing funds, vendors are beefing up their defensive tools to prevent fraud and abuse. I had an opportunity while I was in Israel to visit Daniel Cohen (shown here) of RSA’s Anti-Fraud Command Center (AFCC), the nerve center of a division that is devoted to protecting consumers’ financial records and funds. The AFCC is an example of what a state-of-the-art web threat and fraud intelligence operation looks like. Here is my report for CSO Online.

CSO Online: 10 questions to answer before running a capture the flag (CTF) contest

Capture-the-flag (CTF) contests have been around for decades. One of the longest-running and more popular series began at the Vegas DEFCON show in 1996 and attracts thousands of participants. Running your own CTF contest can build security skills and help identify new internal and external talent. In this article for CSO Online, I compare CTFs with cyber ranges such as CyberGym (shown here) so you can learn what types of challenges you need to include for your own contest, how to make the contest run smoothly, and other logistics to consider.

BrianMadden.com: An introduction to FIDO

Many years ago, the idea of making a more universal multi-factor authentication (MFA) token seemed like a good idea. Back then, hardware tokens were proliferating, and so were the number of logins for different web-based services. Out of that era, the Fast Identity Online (FIDO) Alliance was created in July 2012 and publicly announced in February 2013 to try to bring some standards to this arena. Since then, the FIDO standards have gone through several revisions and extensions, and more than 100 vendors have joined the non-profit association, including some of the largest names in the identity and authentication business.

While it has taken a while to gain traction, FIDO is now at an inflection point and has reached sufficient maturity that deploying it isn’t a matter of if, but when for most enterprises.

You can read my post on FIDO for BrianMadden.com today.